Data security is not an IT problem?

April 24, 2014January 10, 2017

It’s like blaming a knife and fork for obesity

By Shawn Allaway, CEO

Companies need to view the epidemic of data breaches with a similar approach to controlling one’s weight. Unless there are systemic corporate “lifestyle” changes, the problem will continue to be a pervasive and costly nuisance to the economy. There are no quick fixes here. Of course, there will be millions and millions of dollars spent on upgrading security technology, but like fad diets and pills, the effects will most likely be short-lived. To my point, there have been many high profile data breaches dating back many years, but doesn’t it seem like the problem has gained momentum recently?

With the increased demand for cloud based services, the risk becomes greater. We are starting to fully realize the interconnected costs of data exfiltration. It’s not just a temporary market blip on a quarterly earnings report but ripples through supporting industries and, ultimately, the consumer. Take a moment to think of the cost and hassle of replacing just one credit card. If you are like me, you have subscriptions and memberships tied to a card, so when one card gets replaced it’s a hassle to update your billing information on the associated accounts. Inevitably I get a call or email from these accounts letting me know that my credit card is no longer valid and to please update my billing information. It is just enough inconvenience to tick me off. Sound like whining? Perhaps, but it does have a cost since it shakes consumer trust and behavior, albeit temporarily.

As companies reevaluate how to protect their (and our) data, it has to be addressed not just as an IT issue, but holistically as a business issue. Yes, CIO’s, CFO’s and CEO’s all must take ownership of the problem and work in concert to devise a data protection makeover, which includes technology, best practices, and accountability. To simply blame IT for a breach is like blaming your fork when you put on 20 pounds. It goes beyond your security tools and deep into the psyche of the company. There has to be a genuine desire to minimize the risk of data exfiltration beyond the shallow “we’re sorry” letters to our customers which are viewed, right or wrong, as purely PR damage control.

Now, in fairness to companies, transparency is a fine line. Disclosing too much information may not be in the best interest of shareholder or customers alike. However, if enterprises were truly sorry they would openly work together and share best practices and policies to build a better security framework. A rising tide floats all boats and this issue requires a sea change to start to control in earnest.

Can’t happen? Sure it can. You saw how quickly major players rose up against the NSA surveillance program. The irony that it took a data breach to bring that little assault on personal freedoms to light is not lost on me. The Snowden effect has negatively impacted global business and trust.

Getting back to my argument, if any one organization, CIO, CSO or person claims they have it all figured out with respect to having a bulletproof data security solution, is most likely fooling themselves or trying to fool you. If you encounter one of these types (they usually emphasize their point by holding up both hands and confidently stating “Yeah, we are all set.”), simply ask them to fire up their corporate Twitter account and tweet out a challenge to hackers. Watch the tap dancing and deflection that follows. Quite enjoyable.

However, this is not just a corporate issue. Individuals and consumers need to be more proactive and vigilant in protecting their personal information, as well. I will be the first to say I have uttered the words “my credit card company is protecting my account, so I’m OK.” While that might be true, this sentiment creates a lax attitude. After all, bad actors exploit our inherit trust in the system, so we must also bear responsibility in protecting ourselves. It is the basics; change your passwords frequently, do not share your information, be careful what you post online, etc. We can also vote with our wallets and force retailers who haven’t protected our data well to pay the price of lost sales or a lost customer. Now that has the power to make things happen.

Will people do it? Probably not and companies have figured that out too, so we have some culpability. However, I know of a few people personally who have stopped shopping at certain retailers because of data breaches. So, if I know a few people, there must be a lot more. We all should do a better job holding ourselves and the organizations accountable.

As long as there is valuable data to be had, there will be bad actors who will break laws to get it for personal gain. That’s a flaw in the human condition, so we can only do our best to protect ourselves and our data.

Breaches are inevitable, but not uncontrollable. If we all keep the pressure on enterprises to put as much energy into minding our data as they do in mining it, we can make a difference.